Archive for the ‘news’ Category
Thursday, September 18th, 2008
Regarding my previous post on how Palin’s email was broken into, it turns out I was dead on. Security questions are just a bad idea.
Tags: palin, security questions, yahoo Posted in news | 2 Comments »
Thursday, September 18th, 2008
Alaska Governor and VP nominee Sarah Palin’s Yahoo account has been compromised, evidently by the group “anonymous”. (Is her fantasy football team okay?) I’m going to go out on a limb now and make an educated guess on how this happened. Chances are they won’t reveal how it actually occurred, but given the situation and given what I know about Yahoo email accounts, I’m fairly certain I know how it happened. Yahoo employs “security questions” if you forget your password. In the past you had to know a person’s zip code, birth date, and the answer to one “security” question to reset an account password. As of when I checked just now, the procedure has changed to be just a security question. The problem for someone like Palin is that in the last month or so, every fact about her life has become public. It would be trivial to find out her zip code, birth date, and just about everything else about her that could be used as a security question. This makes it easy for a hacker to use this “security feature” to gain access to the account.
The truth is, all of those “forgot my password” links are usually great ways for hackers to break into accounts.
Tags: politics, Sara Palin, security questions, yahoo Posted in news | Comments Off
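To make the point of the post above concrete from the defender's side, here is an added example (not code from the original post or from Yahoo) that models a recovery flow as a list of challenges and checks whether the whole flow can be passed using only facts that are already public. The zip, birth date and answers below are constructed placeholders, and the "old" and "new" flows are the two Yahoo procedures the post describes.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the user knows (can leak into public records)"
    POSSESSION = "something the user has (a code sent out of band)"


@dataclass(frozen=True)
class Challenge:
    name: str
    factor: Factor
    answer_hash: bytes  # salted hash of the normalized answer; the answer itself is never stored


SALT = b"constructed-demo-salt"  # hypothetical per-account salt; a real system uses a random one


def normalize(answer: str) -> str:
    # Recovery forms are forgiving about case and whitespace, so hash a canonical form.
    return " ".join(answer.lower().split())


def hash_answer(answer: str) -> bytes:
    return hashlib.sha256(SALT + normalize(answer).encode()).digest()


def verify(challenge: Challenge, answer: str) -> bool:
    # Constant-time compare so response timing does not leak how close a guess was.
    return hmac.compare_digest(challenge.answer_hash, hash_answer(answer))


def unanswerable_from(flow, known_facts):
    """Return the names of the challenges that cannot be passed using only known_facts.
    A possession challenge is never answerable from facts, however public they are."""
    return [ch.name for ch in flow
            if ch.factor is Factor.POSSESSION or not any(verify(ch, f) for f in known_facts)]


def recoverable_from(flow, known_facts) -> bool:
    # The account can be taken over with public information iff nothing is left unanswered.
    return not unanswerable_from(flow, known_facts)


# Constructed account with the kind of answers a recovery form asks for (placeholder values).
ZIP = Challenge("zip code", Factor.KNOWLEDGE, hash_answer("12345"))
DOB = Challenge("birth date", Factor.KNOWLEDGE, hash_answer("1970-01-01"))
QUESTION = Challenge("where did you meet your spouse", Factor.KNOWLEDGE, hash_answer("Summer Camp"))
OTP = Challenge("code sent to backup phone", Factor.POSSESSION, hash_answer("placeholder"))

OLD_FLOW = (ZIP, DOB, QUESTION)   # zip + birth date + question, as the post says Yahoo once required
NEW_FLOW = (QUESTION,)            # the question-only procedure the post describes
HARDENED_FLOW = (QUESTION, OTP)   # knowledge plus an out-of-band possession factor

# Constructed "public profile" of a heavily covered person: every knowledge answer is in it.
PUBLIC_PROFILE = {"12345", "1970-01-01", "summer camp", "hometown high"}
```

Both of the post's flows are recoverable from the public profile alone, while the hardened flow still leaves the possession challenge unanswered.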
Wednesday, August 27th, 2008
It looks like the first computer virus to cross into outer space is the W32.Gammima.AG worm.
Tags: iss, NASA, space, virus Posted in news | Comments Off
Wednesday, August 20th, 2008
As a followup to my previous post about cyber-war, it looks like the cyber-attacks against Georgia started before the Russian invasion. Although interesting, it doesn’t change the basic concept of cyber-war very much. The initial attacks garnered little attention until they were combined with conventional kinetic warfare. The reason is simple – cyber-war, on its own, doesn’t do a whole lot.
Tags: cyberwar, ddos, georgia, Russian, war Posted in news | Comments Off
Thursday, August 14th, 2008
I got way behind on my reading over the past few days. Now that I’m catching up I noticed that TippingPoint has launched Threatlinq, a product which provides a lot of information about the global attack landscape. It looks very interesting and seems to have a lot of good data. It would be interesting to poke around in their data and try to come up with interesting conclusions, but alas it is only available to their customers. Rats.
Tags: attacks, internet, threatlinq Posted in news | Comments Off
Thursday, August 14th, 2008
In the spring of 2007, the world’s first real cyber-war commenced. Now, with hostilities in the same area of the world flaring up again, we appear to have the world’s second cyber-war. Although the history of cyber-war is still very new, it is interesting to note that in the first case cyber-war was performed in the absence of state sponsored military action, while in the second case it only supplemented the tanks, guns, and bombs that go along with conventional warfare. In the former case the damage may have been swift and shocking, but it was also temporary and somewhat ephemeral. No lives were lost, no infrastructure was permanently crippled. (There are however a lot of lessons learned – the postmortem interview with Estonia’s secretary of defense is highly recommended.) In the latter case, the war seems to be having serious geopolitical ramifications, but the effect of the cyber-attacks is as of yet unclear. All that we can currently say for certain is that it has helped to weaken the Georgian PR machine, which in this era of 24 hour news cycles, UN resolutions, and the more globally connected world, is more important during wartime than ever before. What the future of cyber-war entails I clearly can’t tell for certain, but I do have a feeling that it can’t stand on its own. Cyber-war may get people’s attention, force societies to alter how they function in the short term, and annoy people who can’t check their bank balances, but it doesn’t have serious geopolitical implications when it stands on its own. Cyber-war works best when it works in concert with conventional warfare.
Tags: cyberwar, estonia, georgia, russia, war Posted in news | Comments Off
Thursday, August 7th, 2008
This year Black Hat debuted the pwnie awards – given out (mostly) for massive failures in the field of information security. The candidates were nominated in July, and the winners were announced last night, although the list of winners is not on the pwnie website as of yet. If you’re curious, a little digging revealed the award winners here. It was hard to argue with any of the winners.
Tags: black hat, pwnie Posted in news | Comments Off
Tuesday, July 1st, 2008
Piggybacking on something I wrote about earlier, with the proliferation of WoW credential stealing bots, WoW is now offering two-factor authentication to its users. It makes sense frankly. WoW needs to keep their customers happy to keep their bottom line, and they’ve begun to realize that all passwords are inherently weak.
Tags: games, passwords, WoW Posted in Access Control Systems & Methodology, news | Comments Off
Thursday, June 26th, 2008
This is nothing more than a blatant advertisement for OWASP, but they have an upcoming conference in NYC in late September that might be of interest to people here.
Tags: conference, OWASP Posted in news | Comments Off
Thursday, May 29th, 2008
A few other people have been all over this already, but TJ Maxx, victim of a rather large electronic break-in a few years ago, has recently fired an employee for revealing many of their lax security policies. The issues he raised were not small ones either:
Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards.
Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers.
My store manager even posted the password and username on a post-it note.
Lest anyone think this employee started off on the wrong foot, he did try to tell management first, but to no avail. It was only afterwards that he mentioned these things in public. Now whether he should have done this or not is clearly a matter that could be the subject of much debate. The issue which I feel more strongly about is the way TJ Maxx responded.
Firing this employee is, in my opinion, the worst form of security-through-obscurity. Rather than realizing that lax policies lead to security problems, they think that it’s the revelation of lax policies that leads to security problems. A simple root cause analysis should reveal that it’s the policies, not their revelation, which is the source of security weaknesses, and it’s time for TJ Maxx to wake up.
Tags: pci, security through obscurity, TJ Maxx Posted in news | Comments Off